9. Bastion SSH Config
Change Port from 22
Port 2222
Disable password logins/auth
PasswordAuthentication no
Disable PAM
UsePAM no
10. Bastion IPTABLES
DENY!!!!!
/etc/sysconfig/iptables
...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [237:32957]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
11. Bastion User
Create a secure user group
sudo /usr/sbin/groupadd moat
Create a “keymaster”
Generate and upload an SSH key
13. Protected Server
Iptables
...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
...
-A INPUT -s <moat's IP address> -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
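The two rulesets on slides 10 and 13 only work as a moat if the bastion exposes nothing but 2222 and the protected server accepts SSH from the moat's address alone. The audit below is an added example, not part of the original slides; it parses iptables-save style rules and reports any INPUT chain that is not default-DROP or that opens a TCP port to a wider source than intended. The rulesets and the moat address 203.0.113.10 are constructed samples.

```python
import re

# Constructed samples mirroring the slides; 203.0.113.10 is a documentation-range
# placeholder for the moat's address, not a real host.
MOAT_IP = "203.0.113.10"
BASTION_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT"""
PROTECTED_RULES = f"""*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s {MOAT_IP} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT"""

def tcp_accepts(rules):
    """Map each TCP port ACCEPTed on INPUT to the set of sources that may reach it."""
    opened = {}
    for line in rules.splitlines():
        if line.startswith("-A INPUT") and "-p tcp" in line and line.endswith("-j ACCEPT"):
            port = re.search(r"--dport (\d+)", line)
            src = re.search(r"-s (\S+)", line)
            key = int(port.group(1)) if port else "any"   # no --dport means every port
            opened.setdefault(key, set()).add(src.group(1) if src else "0.0.0.0/0")
    return opened

def input_policy(rules):
    m = re.search(r"^:INPUT (\w+)", rules, re.M)
    return m.group(1) if m else None

def audit(rules, allowed_ports):
    """Return findings (empty list = clean). allowed_ports maps port -> the one source
    expected to reach it ('0.0.0.0/0' = anyone); anything else is a finding."""
    findings = []
    if input_policy(rules) != "DROP":
        findings.append("INPUT policy is not DROP")
    for port, sources in tcp_accepts(rules).items():
        who = ",".join(sorted(sources))
        if port not in allowed_ports:
            findings.append(f"unexpected TCP port {port} open to {who}")
        elif sources != {allowed_ports[port]}:
            findings.append(f"port {port} reachable from {who}, expected {allowed_ports[port]}")
    return findings
```

Run it against the live output of `iptables-save` on each host to catch a forgotten `-s` on the port 22 rule, which silently turns the protected server back into a directly reachable SSH target.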
14. SSH
Proxy through moat to access remote machines
Host app001
Hostname app-001.blackboxservers.com
User app_user
ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22
To SSH, just export your name and go!
$> export MOAT_USER=george
$> ssh app001
george@app-001.blackboxservers.com's password: